Victims of the WannaCry ransomware who haven't backed up their files have a tough choice: take a risk paying the ransom or just accept the loss. But there's a small glimmer of hope: French researchers have figured out a way to decrypt files without paying. But their tools only work on some affected devices, and only if they have not been powered off or rebooted.

Adrien Guinet, a security researcher with Paris-based Quarkslab, published the tool, called WannaKey, on GitHub, which works only with infected systems that run Windows XP as well as Windows 7.

Still, Guinet says it's worth a try. WannaKey is being received well given the alternatives for dealing with the ransomware.

"His tool is very ingenious as it [doesn't] look for the actual key but the prime numbers in memory to recompute the key itself," writes Matt Suiche, founder of Comae Technologies. "In short, his technique is total bad ass and super smart."

May 19 update: Suiche says an updated version of the similar WanaKiwi decryption tool allows it to potentially work with all affected versions of Windows. The EU's law enforcement intelligence agency, Europol, has seconded the researcher's findings.

WannaCry swept across the world on May 12, infecting about 216,000 Windows computers with a speed not seen since mega-worms like Love Bug and SQL Slammer in the early 2000s (see Teardown: WannaCry Ransomware).
It exploited a Windows software flaw, (MS17-010), using an exploit believed to have originated with the NSA but leaked in April by the Shadow Brokers hacking group.

Time is of essence: WannaCry warns victims they have three days to pay $300 in bitcoin before the ransom rises to $600. If that isn't paid after a week, the data is locked forever.

Prime Numbers

WannaCry's code has been pored over by analysts, part of a worldwide effort to find clues of who might be responsible and also for weaknesses in how it encrypts files.

Guinet, however, came across an odd way that Windows XP handles the generation of encryption keys.

WannaCry uses the RSA algorithm to create the public and private keys, which are derived from long prime numbers. The private key decrypts files. That key generation process occurs in memory. In later versions of Windows, such as 7 and 10, the operating system tidies up after that process and erases the prime numbers. But for some reason that doesn't occur in XP. The particular function, CryptDestroyKey, instead just erases a handle related to the key.

Matthew D. Green, a cryptography expert and assistant research professor in the department of computer science at Johns Hopkins University, dug up the Microsoft documentation.

It says, in part, that many cryptographic service providers "overwrite the memory where the key was held before freeing it. However, the underlying public/private key pair is not destroyed by this function. Only the handle is destroyed."

The by-design wrinkle, however, is critical to the recovery of files. Guinet's tool tries to find those prime numbers for the private key. But if the machine has been rebooted, the numbers are lost. It is also possible to lose them if the machine's memory has simply been overwritten due to normal activity.

"If you are lucky (that is, the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory," Guinet writes in the WannaKey readme on GitHub. "That's what this software tries to achieve."

Development Errors

Whoever wrote WannaCry was likely unaware of the issue in XP. It's also likely they didn't care. Microsoft ended mainstream support for XP in 2014, although it did take the unprecedented move of issuing an emergency patch for XP and other older Windows systems due to the severity of WannaCry.

XP still accounts for about 7 percent of the Windows market. Organizations such as the U.K. National Health Service still have some devices running XP in service. But after its troubles with WannaCry, the NHS denied the impact was due to widespread use of XP, which runs on less than five percent of its systems.

Aside from not noticing the XP key generation quirk, WannaCry's developers also made numerous other errors, such as failing to create a separate bitcoin payment address for each victim. This means the attackers may have trouble identifying which victim to receive the decryption key, according to Check Point. They also inadvertently left a kill switch in the code, which allowed a British security researcher to luckily halt the spread of the malware.

The mistakes are an encouraging sign, however, that there might be more glitches that will allow WannaCry to be defanged. Guinet's research has also inspired another project from Benjamin Delpy to work on a similar decryption method. It can't come too soon. Time for many encrypted machines - and their victims - is running out.

About the Author

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;